Description of problem:
The file context configuration generated by `genhomedircon` overrides the
file context configuration provided by a package even if the package context
is for a more specific path. This violates the principle of least surprise.
Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-3.el5
How reproducible:
100%
Steps to Reproduce:
1. Assume that you want to override the default type of
~putz/public_html/complex.cgi
to be httpd_unconfined_script_exec_t (for use with restorecond) and
that the SELinux policy is being managed via an SELinux policy package.
2. Create a policy package with an entry of:
/home/putz/public_html/crud.cgi --
user_u:object_r:httpd_unconfined_script_exec_t:s0
3. Create a TE file (can be pretty much empty)
4. Compile into a module with checkmodule and load with semodule
5. Running `semanage fcontext -l | grep complex.cgi` will show as expected:
/home/putz/public_html/complex.cgi regular file
user_u:object_r:httpd_unconfined_script_exec_t:s0
Actual results:
Checking the default SELinux security context with `matchpathcon` will give a
type of `httpd_user_content_t`.
Expected results:
For `matchpathcon` to return a type of `httpd_unconfined_script_exec_t`.
Additional info:
The default context is being overridden by the contents of
`/etc/selinux/targeted/contexts/files/file_contexts.homedirs`
Running
`semanage fcontext -a -f -- -t httpd_unconfined_script_exec_t /home/putz/public_html/complex.cgi`
will change the default type as expected.
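To make the precedence described in "Steps to Reproduce" and "Additional info" concrete, here is an added example (not part of the bug report, and not libselinux's own code) that models how a file-context lookup resolves a path. It assumes that libselinux consults file_contexts, then file_contexts.homedirs, then file_contexts.local, and that the last matching line wins; the three file fragments, the `/home/[^/]+/public_html(/.*)?` homedirs entry and the `shadowed_literal_paths` audit helper are all constructed for the example. Run with a real system's files via `matchpathcon -V` to confirm which file supplied the winning entry.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed fragments (not copied from any real system) of the three files
# libselinux consults. The consultation order assumed here, file_contexts,
# then file_contexts.homedirs, then file_contexts.local, with the LAST
# matching line winning, is an assumption about libselinux, not a statement
# from the bug report.
FILE_CONTEXTS = """
/.*                                    system_u:object_r:default_t:s0
/home                              -d  system_u:object_r:home_root_t:s0
/home/putz/public_html/complex.cgi --  user_u:object_r:httpd_unconfined_script_exec_t:s0
"""
# Constructed stand-in for what genhomedircon expands from HOME_DIR templates.
FILE_CONTEXTS_HOMEDIRS = """
/home/[^/]+/.*                         system_u:object_r:user_home_t:s0
/home/[^/]+/public_html(/.*)?          system_u:object_r:httpd_user_content_t:s0
"""
# Constructed stand-in for the line `semanage fcontext -a ...` appends.
FILE_CONTEXTS_LOCAL = """
/home/putz/public_html/complex.cgi --  user_u:object_r:httpd_unconfined_script_exec_t:s0
"""

PATH = "/home/putz/public_html/complex.cgi"


class Spec(NamedTuple):
    pattern: str            # regex exactly as written in the file
    regex: re.Pattern
    ftype: Optional[str]    # "--", "-d", ... or None for any file type
    context: str
    source: str             # which file the line came from


def parse_specs(text: str, source: str) -> List[Spec]:
    """Parse file_contexts lines of the form: <regex> [<type>] <context>."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors each regex to the whole path
        specs.append(Spec(pattern, re.compile(f"^(?:{pattern})$"), ftype, context, source))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Optional[Spec]:
    """Return the winning entry for path: the last matching line wins."""
    for spec in reversed(specs):
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            return spec
    return None


# Regex metacharacters other than '.', which matches a literal dot anyway and
# is commonly left unescaped in file_contexts entries.
_META = re.compile(r"[\^$?*+|()\[\]{}\\]")


def shadowed_literal_paths(specs: List[Spec]):
    """Literal paths whose context is overridden by a later, more general line."""
    shadowed = []
    for spec in specs:
        if _META.search(spec.pattern):
            continue
        winner = lookup(specs, spec.pattern, spec.ftype or "--")
        if winner is not None and winner.context != spec.context:
            shadowed.append((spec.pattern, winner.source))
    return shadowed


def bug_specs() -> List[Spec]:
    """Module entry in file_contexts plus the genhomedircon output."""
    return (parse_specs(FILE_CONTEXTS, "file_contexts")
            + parse_specs(FILE_CONTEXTS_HOMEDIRS, "file_contexts.homedirs"))


def workaround_specs() -> List[Spec]:
    """Same, with the `semanage fcontext -a` entry appended last."""
    return bug_specs() + parse_specs(FILE_CONTEXTS_LOCAL, "file_contexts.local")


if __name__ == "__main__":
    for label, specs in (("module only", bug_specs()),
                         ("with local override", workaround_specs())):
        win = lookup(specs, PATH)
        print(f"{label}: {win.context}  (from {win.source})")
    print("shadowed literal paths:", shadowed_literal_paths(bug_specs()))
```

The `shadowed_literal_paths` check is the audit a policy maintainer would want after loading a module: it lists every exact-path entry whose type is silently replaced by a later pattern and names the file that replaced it, which in the reported case is file_contexts.homedirs.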